address space
Monitor makes memory pages mapped above the 2GB available with read or
read/write access to user-space programs running in a Guest operating
system. By leveraging this vulnerability it is possible to bypass
security mechanisms of the operating system such as Data Execution
Prevention (DEP) [1], Safe Structured Error Handling (SafeSEH) [2] and
Address Space Layout Randomization (ASLR) [3] designed to prevent
exploitation of security bugs in applications running on Windows
operating systems.
Thus applications with bugs that are not exploitable when running in
non-virtualized operating systems become exploitable if running within a
You can also use the "show running-config | include ip nat" command to
verify if NAT has been enabled on the device.
In NAT traditional configurations, the term "inside" refers to those
networks that will be translated. Inside this domain, hosts will have
addresses in one address space, while on the "outside", they will
appear to have addresses in another address space when NAT is
configured. The first address space is referred to as the local
address space and the second is referred to as the global address
space. The "ip nat inside" and "ip nat outside" interface commands must
be present on the corresponding router interfaces in order for NAT to
Alternatively, you can use the show running-config | include ip nat
command to verify if NAT has been enabled on the router interfaces.
Note: With reference to NAT, the term "inside" refers to those
networks that will be translated. Inside this domain, hosts will have
addresses in one address space, while on the "outside", they will
appear to have addresses in another address space when NAT is
configured. The first address space is referred to as the local
address space and the second is referred to as the global address
space. The ip nat inside and ip nat outside interface commands must
be present on the corresponding router interfaces in order for NAT to
trusted source address.
The iACL policy denies unauthorized ICMP packet types, including echo
request, echo-reply, host-unreachable, traceroute, packet-too-big,
time-exceeded, and unreachable, that are sent to affected devices. In
the following example, 192.168.60.0/24 is the IP address space that
is used by the affected devices, and the host at 192.168.100.1 is
considered a trusted source that requires access to the affected
devices. Care should be taken to allow required traffic for routing
and administrative access prior to denying all unauthorized traffic.
Whenever possible, infrastructure address space should be distinct
The aforementioned document is available at:
<http://www.ietf.org/id/draft-gont-opsec-ipv6-host-scanning-00.txt>
The Abstract of the document is:
---- cut here ----
IPv6 offers a much larger address space than that of its IPv4
counterpart. The standard /64 IPv6 subnets can (in theory)
accommodate approximately 1.844 * 10^19 hosts, thus resulting in a
much lower host density (#hosts/#addresses) than their IPv4
counterparts. As a result, it is widely assumed that it would take a
tremendous effort to perform host scanning attacks against IPv6
deny pim any 192.168.60.0 0.0.0.255
!
!-- Explicit deny ACE for traffic sent to addresses configured within
!-- the infrastructure address space
!
deny ip any 192.168.60.0 0.0.0.255
!
...
Aborted
If an attacker ever stumbles upon a setuid application with an
overflow that's caught by FORTIFY_SOURCE, this may be used to read the
application's address space (which may contain sensitive information),
even if code execution is mitigated. Because it relies on the
existence of another vulnerability, I wouldn't consider this a serious
issue by any means, but it's probably something that's worth fixing
eventually.
root privileges on the XFree86 server (CVE-2007-6427).
An information disclosure flaw was found in the XFree86 server's
TOG-CUP extension that could allow a malicious authorized client to
cause a denial of service (crash) or potentially view arbitrary memory
content within the XFree86 server's address space (CVE-2007-6428).
Two integer overflow flaws were found in the XFree86 server's EVI
and MIT-SHM modules that could allow a malicious authorized client
to cause a denial of service (crash) or potentially execute arbitrary
code with the privileges of the XFree86 server (CVE-2007-6429).
May 6-11, 2012, Quito, Ecuador
http://lacnic.net/en/eventos/lacnicxvii/
LACNIC (http://www.lacnic.net) is the international organization based
in (Uruguay) that is responsible for administrating IP address space,
Reverse Resolution, Autonomous System Numbers and other resources for
the region of Latin America and the Caribbean on behalf of the Internet
community.
The "7th Network Security Event for Latin America and the Caribbean"
CVE-2007-3739
Adam Litke reported a potential local denial of service (oops) on
powerpc platforms resulting from unchecked VMA expansion into address
space reserved for hugetlb pages.
CVE-2007-3740
Steve French reported that CIFS filesystems with CAP_UNIX enabled
were not honoring a process' umask which may lead to unintentionally
CVE-2007-1661
Multiple patterns of the form \X?\d or \P{L}?\d in non-UTF-8 mode
could backtrack before the start of the string, possibly leaking
information from the address space, or causing a crash by reading out
of bounds.
CVE-2007-1662
A number of routines can be fooled into reading past the end of an
root privileges on the X.org server (CVE-2007-6427).
An information disclosure flaw was found in the X.org server's TOG-CUP
extension that could allow a malicious authorized client to cause
a denial of service (crash) or potentially view arbitrary memory
content within the X.org server's address space (CVE-2007-6428).
Two integer overflow flaws were found in the X.org server's EVI and
MIT-SHM modules that could allow a malicious authorized client to
cause a denial of service (crash) or potentially execute arbitrary
code with the privileges of the X.org server (CVE-2007-6429).
!--- Note: If the router is acting as a NTP broadcast client
!--- via the interface command "ntp broadcast client"
!--- then broadcast and directed broadcasts must be
!--- filtered as well. The following example covers
!--- an infrastructure address space of 192.168.0.X
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
host 192.168.0.255 eq ntp
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
http://lacnic.net/en/eventos/lacnicxvii/
LACNIC (http://www.lacnic.net) is the international organization based
in Montevideo (Uruguay) that is responsible for administrating the IP
address space, Reverse Resolution, Autonomous System Numbers and other
resources for the region of Latin America and the Caribbean on behalf of
the Internet community.
The "7th Network Security Event for Latin America and the Caribbean"
(LACSEC 2012) will be held in Quito, Ecuador, within the framework of
network behind it.
#1 Access from the Internet to device enabled by default
Anyone is able to automatically detect devices, which are online and
conduct the attack. It's simplified even more as the operator IP address
space is reserved for the services using this device.
#2 No HTTPS support for the web interface
Communication to the web interface can be sniffed by the attacker.
#3 System doesn't force administrator to change default password upon
UNIX-domain sockets, also known as "local" sockets, are a mechanism for
interprocess communication. They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses
and port numbers, UNIX-domain sockets have addresses in the local file
system address space.
II. Problem Description
When a UNIX-domain socket is attached to a location using the bind(2)
system call, the length of the provided path is not validated. Later,
Probably. Most systems used here have got a "localhost" line in
/etc/hosts, so this doesn't apply.
> Would it make sense to update RFC 2109's rules to special case
> records resolving to 127.0.0.1 or ::1 (or, more generally, any
> address space that is not considered globally unique) unless both
> names resolve to addresses in the same block.
It's usually not such a great idea to encode the IANA allocation
policies into client software. There are numerous sites that run with
their own address allocation, and this could have an adverse impact on
to read memory from arbitrary locations in server memory.
III. ANALYSIS
Exploitation allows an attacker to read arbitrary memory within the X
Server's address space.
By itself, the impact of this vulnerability is minimal. However, when
coupled with a code execution vulnerability, this vulnerability can be
used to greatly increase the reliability of an exploit.
localhost is in the domain that is looked up first. This still seems
like a valid thing to do, rather than a misconfiguration.
Would it make sense to update RFC 2109's rules to special case
records resolving to 127.0.0.1 or ::1 (or, more generally, any
address space that is not considered globally unique) unless both
names resolve to addresses in the same block.
David.
May 17-20, 2011, Cancun, Mexico
http://lacnic.net/en/eventos/lacnicxv/index.html
LACNIC (http://www.lacnic.net) is the international organization based
in (Uruguay) that is responsible for administrating IP address space,
Reverse Resolution, Autonomous System Numbers and other resources for
the region of Latin America and the Caribbean on behalf of the Internet
community.
The “6th Network Security Event for Latin America and the Caribbean”
You don't need administrator privileges. If the VM is running with the
same privileges of the attacker, he can alter the program state of the VM.
The most obvious way with VMWare is to pause the machine. This writes out
physical memory as a .vmem file. Alter the file and resume VMWare. Less
obviously you can use the OS debugging APIs, or inject a DLL into the
address space of the VM process, or map its memory using memory management
APIs, or exploit a vulnerability in the VM process, or.....
Similar attacks can be performed by altering the disks or attaching
malicious hardware. You could point out that the guest OS need not
trust the disk or the hardware and you would be right. However, all
Symantec AntiVirus Corporate Edition 10.2.x
Symantec AntiVirus for Linux 10.x
Details
Symantec was notified of a potential denial of service vulnerability in the device driver SYMTDI.SYS. A specially crafted IRP sent to an IOCTL handler function could allow memory to be overwritten because the address space was not properly validated in some versions of the driver. A potential attacker must be logged into the computer to attempt an exploit. A successful exploit of this vulnerability could potentially allow that user to crash their computer.
Symantec Response
Symantec engineers have verified that the vulnerability exists in the products listed in the Affected Products section above, and have provided updates for all affected products. Consumer (Norton) products can be updated by running LiveUpdate. Symantec AntiVirus Corporate Edition customers can obtain the update from the Symantec web site.
Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.
While it is theoretically possible for an attacker to execute
arbitrary code by exploiting this vulnerability, it is believed to be
more difficult than exploiting other sorts of memory management flaws
such as double-free or heap buffer overflow events. Also, in order to
exploit this vulnerability to remotely execute code, an attacker must
ensure that the uninitialized pointer points to valid address space,
otherwise a null-dereference crash will typically occur.
Some operating systems have hardened malloc implementations that are
not susceptible to this problem. These operating systems are still
vulnerable to a denial of service if the uninitialized pointer points
an attacker to read arbitrary areas of memory in the X server process.
III. ANALYSIS
Exploitation allows an attacker to read arbitrary memory within the X
Server's address space. By itself, the impact of this vulnerability is
minimal. However, when coupled with a code execution vulnerability,
this vulnerability can be used to greatly increase the reliability of
an exploit. Additionally, this vulnerability can be used to crash the
server. If the server automatically restarts, this can be useful since
it resets the state of the server to a known state.
UNIX-domain sockets, also known as "local" sockets, are a mechanism for
interprocess communication. They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses
and port numbers, UNIX-domain sockets have addresses in the local file
system address space.
FreeBSD contains "linux emulation" support via system call translation
in order to make it possible to use certain linux applications without
recompilation.
This advisory makes some reasonable assumptions about the platform.
We assume that attempts to invoke malloc() to allocate nearly SIZE_MAX
bytes will fail, which is reasonable for conventional memory
architectures. We also assume that the process has less than UINT_MAX
contiguous bytes of heap address space mapped, which is reasonable
given likely hardware and operating system configurations.
The Kerberos protocol specifications define the format of valid
ciphertexts encrypted with AES (in RFC 3962) or RC4 (in RFC 4757)
ciphers. Valid ciphertexts have a minimum length, as they include